Advisories for Golang/Github.com/Sylabs/Singularity/V4 package

The limit container paths directive in singularity.conf is intended to allow a system administrator limit the paths from which containers can be run, under setuid mode. Due to incorrect matching of a path string, sibling directories with similar names may incorrectly be allowed. For example, the configuration: limit container paths = /data/safe Will also allow containers in /data/safe-but-unsafe to be run.

Native Mode (default) Singularity's default native runtime allows users to apply restrictions to container processes using the apparmor or selinux Linux Security Modules (LSMs), via the –security selinux:<label> or –security apparmor:<profile> flags. LSM labels are written to process or thread attrs/exec under /proc. If a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it …